Don’t Use Grammatically-Correct Passwords (and journalism, Tesla, Bitcoin)

Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1 — should no longer be considered a secure password. What are you doing trying to summon the poor guy every day after your morning coffee anyway?

This also goes for any passwords that might conceivably be used as phrases anywhere on the Internet. A Hashcat update now supports passwords up to 55 characters, so eager hash-crackers have started slurping down all of Wikipedia, all YouTube comments, all of Project Gutenberg, you get the idea.

With a couple of graphics cards, it’s now cost-effective to go through a couple billion lines of potential-password database in the comfort of your man-cave. Say nothing for the likes of more serious attackers. (The guy in the article can see one notorious Utah datacenter from his window. Maybe password-cracking is an infectious predilection?)

The upshot of all this is that anything an ordinary person might type may get thrown against your password when/if someone tries to crack it on an offline basis.

So yes, you’re probably still safe* paying your respect to the Great Old One whenever you login to your webmail account… anyone with the ability to run Hashcat against that is likely to have the underlying goods already.

* In a relative way. Also, keep in mind the phrase has been bandied about as a password on ArsTechnica, so don’t actually do this.

The death spiral of establishment journalism… Classic Greenwald ranting, but that’s not why I’m posting it. One of the most controversial subjects in news is the decline of “old media” in all its forms. This decline happened in a very parallel fashion to “establishment journalism” giving up its role as a watchdog.

Given how it’s human nature to seek out drama and accurate information, I wonder if the move away from “true drama” like, say, Watergate was part and parcel of this. How to know — well, did SnowdenLeaks have a significant effect on the stature of the Guardian and WaPo? (I honestly don’t know, just tossing this out there as a theory.)

Since I mentioned Tesla, this website is remarkable:

Bitcoin may be the target of massive price manipulation:

“For a graphic example of passphrase weakness, consider the string “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1” (minus the quotes). With a length of 51 and a 95-character set containing upper-
and lowercase letters, numbers, and special characters, its entropy is 284.9 bits. The total number of combinations required to brute-force crack it would be 9551, making such a technique impossible on any sort of computer known to exist today. What’s more, the string isn’t found in any language dictionary. No wonder password strength meters like this one use words such as “overkill” to describe it.

But as Ars recently reported, Chrysanthou had no trouble cracking the SHA1 hash that corresponded to the string for one simple reason. This is a fictional occult phrase from the H. P. Lovecraft short story “The Call of Cthulhu,” and it was contained in this Wikipedia entry.[…]

One force pushing the frontier of passphrase cracking is relatively new. oclHashcat-plus, the Hashcat version that can use dozens of graphics cards to simultaneously crack huge numbers of cryptographic hashes in seconds, was recently updated to tackle passphrases as long as 55 characters, breaking a previous 15-character limit. That brings turbo-charged cracking to a whole new length of passcodes. (John the Ripper and slower versions of Hashcat are still able to crack passwords with a length of 56 and above.)[…]

Encouraged with their results, Young, Dustin, Chrysanthou, and other crackers are tapping an ever larger pool of phrases. News websites, multilingual forums, public IRC logs, Wikipedia, Pastebin, e-books, movie scripts, and song lyrics are just some of the wells they’re drawing from. And of course, Facebook and other social networking sites are goldmines. For example, in May 2012, while cracking 160,000 MD5 hashes leaked from (a dating website for members of the US armed forces), Young and Dustin turned to Twitter to increase their supply of words and phrases used by people in the military.

A script Dustin wrote searched the microblogging service for a dozen or so terms that related to both the military and dating, such as “afghanistan” and “love.” The script then scraped the results and organized them in various ways. Of the 4,400 unique words or phrases they mined from the Twitter searches, 1,976 of them were all or part of actual passwords used by MilitarySingles users.

“On, people used passwords like ‘hooah’,” Dustin explained. “That’s not a word that will be in your dictionary, but by supplying the words ‘marines’ and ‘navy,’ you’re going to end up with words like ‘hooah’ in your list. With Twitter, it lets you target specific password users.”

More recently, Dustin has turned his attention to YouTube for the same reasons.

“I like YouTube comments because you have current garbage, stuff the way people say it, slang, misspellings, and things like that,” he said. “That’s the way people do their passwords quite often. You often find a lot of slang, and a lot of that slang doesn’t end up in a dictionary or even on Wikipedia or in a book.””

%d bloggers like this: